From bc5b26fece2adace660d163a8648d256da2f803b Mon Sep 17 00:00:00 2001 From: "John \"Elwin\" Edwards" Date: Sat, 1 Aug 2015 15:12:11 -0400 Subject: [PATCH 1/4] srogue: open the score and log files when the program starts. Super-Rogue can now use the same privilege-dropping scheme as the other games. --- srogue/global.c | 3 +++ srogue/main.c | 17 +++++++++++++++++ srogue/rip.c | 15 ++++++++------- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/srogue/global.c b/srogue/global.c index ce3fecb..8f10413 100644 --- a/srogue/global.c +++ b/srogue/global.c @@ -54,6 +54,7 @@ int group = NEWGROUP; /* Current group number */ int hungry_state = F_OKAY; /* How hungry is he */ int foodlev = 1; /* how fast he eats food */ int ringfood = 0; /* rings affect on food consumption */ +int scorefd = -1; /* Scoreboard file descriptor */ char take; /* Thing the rogue is taking */ char runch; /* Direction player is running */ char curpurch[15]; /* name of item ready to buy */ @@ -101,6 +102,8 @@ char illegal[] = { "Illegal command '%s'." }; char callit[] = { "Call it: " }; char starlist[] = { " (* for a list)" }; +FILE *logfile = NULL; + struct coord oldpos; /* Pos before last look() call */ struct coord delta; /* Change indicated to get_dir() */ struct coord stairs; /* where the stairs are put */ diff --git a/srogue/main.c b/srogue/main.c index 816d647..daf235f 100644 --- a/srogue/main.c +++ b/srogue/main.c @@ -34,6 +34,11 @@ #include "rogue.ext" +void open_records(void); + +extern int scorefd; +extern FILE *logfile; + main(argc, argv, envp) char **argv; char **envp; @@ -70,6 +75,7 @@ char **envp; strcat(scorefile,"/"); strcat(scorefile, "srogue.scr"); #endif + open_records(); if(argc >= 2 && strcmp(argv[1], "-s") == 0) { @@ -472,3 +478,14 @@ roguehome() return(NULL); } +void +open_records(void) +{ + if (scorefd < 0) + scorefd = open(scorefile, O_RDWR | O_CREAT, 0666); +#ifdef LOGFILE + if (logfile == NULL) + logfile = fopen(LOGFILE, "a"); +#endif +} + diff --git a/srogue/rip.c b/srogue/rip.c index c1c9020..b44c1a3 100644 --- a/srogue/rip.c +++ b/srogue/rip.c @@ -47,6 +47,9 @@ static char *rip[] = { #define RIP_LINES (sizeof rip / (sizeof (char *))) +extern int scorefd; +extern FILE *logfile; + char *killname(); void writelog(int amount, int aflag, char monst); @@ -140,7 +143,7 @@ int amount, aflag; /* * Open file and read list */ - if ((fd = open(scorefile, O_RDWR | O_CREAT, 0666)) < 0) + if ((fd = scorefd) < 0) return; outf = (FILE *) fdopen(fd, "w"); for (scp = top_ten; scp <= &top_ten[9]; scp++) { @@ -221,11 +224,12 @@ void writelog(int amount, int aflag, char monst) { char logmessage[220], ltemp[80], mlev[40]; char *killer; - FILE *logfi; if (waswizard) return; #ifdef LOGFILE + if (logfile == NULL) + return; sprintf(logmessage, "%d %d %s %d ", time(NULL), amount, whoami, him->s_lvl); if (amulet) @@ -247,11 +251,8 @@ void writelog(int amount, int aflag, char monst) else return; strcat(logmessage, ltemp); - logfi = fopen(LOGFILE, "a"); - if (logfi == NULL) - return; - fprintf(logfi, "%s", logmessage); - fclose(logfi); + fprintf(logfile, "%s", logmessage); + fclose(logfile); #endif return; } From 2e4f161e40a5b0998ee7a7936c89275c0a6e7b13 Mon Sep 17 00:00:00 2001 From: "John \"Elwin\" Edwards" Date: Sat, 1 Aug 2015 16:23:24 -0400 Subject: [PATCH 2/4] srogue: improve privilege handling. Setgid privileges are now dropped when not required. restore() is now less complex. --- srogue/main.c | 2 +- srogue/save.c | 46 ++-------------------------------------------- 2 files changed, 3 insertions(+), 45 deletions(-) diff --git a/srogue/main.c b/srogue/main.c index daf235f..a3d942f 100644 --- a/srogue/main.c +++ b/srogue/main.c @@ -121,7 +121,7 @@ char **envp; #endif if (!use_savedir) - md_droppriv(); + md_normaluser(); /* get home and options from environment */ diff --git a/srogue/save.c b/srogue/save.c index ce82666..e758cdc 100644 --- a/srogue/save.c +++ b/srogue/save.c @@ -131,17 +131,13 @@ game_err(int a) /* * dosave: - * Set UID back to user and save the game + * Save the game. UID/GID no longer get reset here. */ dosave() { FILE *savef; ignore(); - if (!use_savedir) - { - md_resetpriv(); - } umask(022); if (file_name[0] != '\0') { @@ -287,50 +283,12 @@ char *file, **envp; #endif if (!wizard) { -#if defined(HAVE_WORKING_FORK) - endwin(); - if (!use_savedir) - { - while((pid = fork()) < 0) - sleep(1); - - /* set id to unlink file */ - if(pid == 0) - { - md_resetpriv(); - unlink(file); - exit(0); - } - /* wait for unlink to finish */ - else - { - while(wait(&ret_status) != pid) - continue; - if (ret_status < 0) - { - printf("Cannot unlink file\n"); - return FALSE; - } - } - } - else - { - /* Don't drop privileges, they're needed - * for the unlink. */ - if (unlink(file) < 0) - { - printf("Cannot unlink file\n"); - return FALSE; - } - } -#else if (unlink(file) < 0) { + endwin(); printf("Cannot unlink file\n"); return FALSE; } -#endif - } if (him->s_hpt <= 0) { From 3c781f89fe92c209020987dd34314ae3bbe9ad38 Mon Sep 17 00:00:00 2001 From: "John \"Elwin\" Edwards" Date: Sat, 1 Aug 2015 16:31:03 -0400 Subject: [PATCH 3/4] srogue: remove md_droppriv() and md_resetpriv(). These partial privilege-dropping functions are no longer needed. --- srogue/mdport.c | 35 ----------------------------------- srogue/rogue.h | 2 -- 2 files changed, 37 deletions(-) diff --git a/srogue/mdport.c b/srogue/mdport.c index 8c16026..5adc3ba 100644 --- a/srogue/mdport.c +++ b/srogue/mdport.c @@ -1533,41 +1533,6 @@ md_memused(void) #endif } -void -md_droppriv(void) -{ -#if defined(HAVE_GETUID) - uid_t realuid = getuid(); - -#if defined(HAVE_SETRESUID) - if (setresuid(-1, realuid, realuid) != 0) { -#elif defined (HAVE_SETREUID) - if (setreuid(realuid, realuid) != 0) { -#elif defined (HAVE_SETUID) - if (setuid(realuid) != 0) { -#else - if (0) { -#endif - printf("Cannot change to effective uid: %d\n", realuid); - exit(1); - } -#endif -} - -extern uid_t playuid; -extern gid_t playgid; - -void -md_resetpriv(void) -{ -#if defined (HAVE_SETUID) - setuid(playuid); -#endif -#if defined (HAVE_SETGID) - setgid(playgid); -#endif -} - int md_random(void) { diff --git a/srogue/rogue.h b/srogue/rogue.h index 831b3ad..10690e7 100644 --- a/srogue/rogue.h +++ b/srogue/rogue.h @@ -69,8 +69,6 @@ void md_onsignal_exit(void); void md_onsignal_default(void); int md_issymlink(char *sp); long md_memused(void); -void md_droppriv(void); -void md_resetpriv(void); int md_random(void); void md_srandom(unsigned int seed); char *xcrypt(const char *key, const char *setting); From de013693fdd1ecde0d79e8cce78fd9c903e22e1a Mon Sep 17 00:00:00 2001 From: "John \"Elwin\" Edwards" Date: Sun, 2 Aug 2015 12:14:47 -0400 Subject: [PATCH 4/4] srogue: prevent overflowing the score file name. If SCOREFILE is not defined, roguehome() is called to find a directory for the score file. It copies up to PATH_MAX-20 bytes from an environment variable to a static buffer. Later these are strcpy()'d to scorefile, which is of size LINLEN. Unfortunately LINLEN is 80 and PATH_MAX is at least 256. On Linux, it happens to be 4096. I haven't yet managed to crash or exploit it, but there are surely no beneficial consequences, so roguehome() has been modified to check the length, and the string it returns is also checked in main(). --- srogue/main.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/srogue/main.c b/srogue/main.c index a3d942f..9b7b647 100644 --- a/srogue/main.c +++ b/srogue/main.c @@ -69,7 +69,9 @@ char **envp; scorefile[LINLEN - 1] = '\0'; #else - strcpy(scorefile, homedir); + strncpy(scorefile, homedir, LINLEN-11); + if (scorefile[LINLEN-12] != '\0') + scorefile[0] = '\0'; if (*scorefile) strcat(scorefile,"/"); @@ -444,23 +446,25 @@ directory_exists(char *dirname) char * roguehome() { - static char path[1024]; + static char path[LINLEN+16]; char *end,*home; if ( (home = getenv("ROGUEHOME")) != NULL) { if (*home) { - strncpy(path, home, PATH_MAX - 20); + /* LINLEN - 11 is all that will fit into scorefile */ + strncpy(path, home, LINLEN - 11); + if (path[LINLEN - 12] == '\0') + { + end = &path[strlen(path)-1]; + while( (end >= path) && ((*end == '/') || (*end == '\\'))) + *end-- = '\0'; - end = &path[strlen(path)-1]; - - - while( (end >= path) && ((*end == '/') || (*end == '\\'))) - *end-- = '\0'; - - if (directory_exists(path)) - return(path); + if (directory_exists(path)) + return(path); + } + /* Otherwise home was truncated and should be ignored */ } }